---
# Traefik Dynamic Middleware Configuration
# This file is watched by Traefik and changes are applied automatically

{% if security_enabled or authentik_enabled -%}
http:
  middlewares:
{% if security_enabled -%}
    # Production-Ready Security Headers Middleware
    # Use in service labels: traefik.http.routers.myservice.middlewares={{ traefik_security_middleware_name }}@file
    {{ traefik_security_middleware_name }}:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        sslRedirect: true
        forceSTSHeader: true
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true

{% endif -%}
{% if authentik_enabled -%}
    # Authentik Forward Auth Middleware
    # Use in service labels: traefik.http.routers.myservice.middlewares={{ traefik_authentik_middleware_name }}@file
    {{ traefik_authentik_middleware_name }}:
      forwardAuth:
        address: {{ authentik_outpost_url }}/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

{% endif -%}
{% else -%}
# No middlewares configured
# Uncomment the example below to add custom middlewares:
#
# http:
#   middlewares:
#     # Example: Rate limiting
#     rate-limit:
#       rateLimit:
#         average: 100
#         burst: 50
{% endif -%}
